Lock Down AKS Finish to Finish with Software Gateway for Containers and Managed Cilium L7


Hi there Of us!

In case your AKS cluster seems to be like most manufacturing clusters I’ve walked by, certainly one of two issues is true. Both no one writes any community insurance policies and each pod can discuss to each different pod, so one compromised container blows up all the blast radius. Or anyone wrote just a few coarse guidelines alongside the traces of “namespace A talks to namespace B over port 80”, which sounds safe proper up till an attacker realizes that port 80 is precisely the place they had been planning to reside anyway. Actual assaults occur at Layer 7, dressed up like odd HTTP visitors, and L3 / L4 plumbing can not inform the distinction.

That’s the hole session MAIS09 from the Microsoft Azure Infrastructure Summit 2026 closes. Vyshnavi Namani and Darshil Shah from the Azure Networking product crew walked by how two AKS-managed add-ons, Software Gateway for Containers (AGC) and Cilium L7 through Superior Container Networking Companies (ACNS), can lock down all the path from the general public web to a single pod. No NGINX. No exterior WAF equipment. No third-party CNI to babysit.

📺 Watch the session:

 

Let me lower to the chase. When you function AKS clusters as we speak, this session issues as a result of:

  • You in all probability nonetheless have an ingress controller and an exterior WAF stitched along with annotations and prayers. AGC plus ACNS collapses that stack into first-party add-ons that AKS owns finish to finish.
  • Each Software Gateway for Containers and Superior Container Networking Companies are typically out there. This isn’t a preview demo, that is manufacturing.
  • Safety is lastly readable. Each rule is a YAML object. Code evaluation, audit, GitOps. No extra “what does this NGINX config map even do anymore” archaeology.
  • It really works on an actual assault sample. The demo reveals WAF killing a SQL-injection-style GET that Cilium would have fortunately forwarded, as a result of the tactic (GET) was on the permit listing.

When you have ever needed to clarify to an auditor why a single compromised pod may pivot throughout your complete cluster, that is your exit ramp.

Most clusters are protected by a load balancer on the edge and principally nothing inside. The cluster door seems to be like a vault, however the hallways are huge open. Cilium calls this the lateral motion drawback, and it’s precisely how Kubernetes assaults unfold within the wild. Compromise a pod, then telephone house, then pivot.

What MAIS09 demonstrates is one thing totally different. AGC is the L7 entrance door (the metallic detector on the foyer). ACNS Cilium L7 is the lock on each pod’s workplace door. Each converse HTTP. Each implement identification. Each are managed by AKS itself.

The legacy various, Software Gateway Ingress Controller (AGIC), bolted a full Software Gateway onto your cluster by a translator. Two providers, two lifecycles, two finger-pointing groups when one thing broke. AGC is the successor, constructed from scratch for Kubernetes, talking the Gateway API natively, enabled with a single AKS flag. AKS provisions the controller, wires the identification, delegates the subnet, and owns the upgrades. You personal the insurance policies.

Right here is the psychological mannequin from the session. Image 4 concentric layers of protection between the general public web and a pod.

  1. AGC entrance finish. One Azure useful resource, one public DNS title, and (due to the Kubernetes Gateway API) a number of hostnames behind the identical IP. The demo runs Contoso, Fabrikam, and Journey Works on a single AGC public IP utilizing three HTTPRoute objects. One infrastructure, three web sites. Actual value financial savings, actual possession readability (platform owns the Gateway, app groups personal the HTTPRoutes).
  2. Azure WAF on AGC. That is the content material inspector. It runs the OWASP Core Rule Set (DRS 2.1 within the demo) towards each incoming request, seems to be for SQL injection, cross-site scripting, path traversal, and the remainder of the OWASP High 10, and returns a 403 earlier than the packet ever touches your pod. Microsoft maintains the rule set, you bind it to AGC through a SecurityPolicy.
  3. ACNS Cilium L7 ingress on each pod. That is the place identity-based coverage lives. Guidelines key off pod labels, not IPs, as a result of IPs change each time the cluster autoscaler does its job. The demo makes use of an allow-agc-l7-get-only CiliumNetworkPolicy that lets the AGC backend attain the tenant pods, however solely with GET or GET /merchandise. The rest, POST, PUT, DELETE, will get a Cilium-synthesized 403 earlier than NGINX ever sees the request.
  4. ACNS east-west and egress coverage. Two extra insurance policies do the heavy lifting inside. client-may-call-contoso-get-only lets the shopper pod attain Contoso with GET, and solely Contoso. A default-deny baseline blocks every part else (pod-to-pod and pod-to-internet) with a single carve-out for kube-dns on port 53.

The magic is that the identical Cilium engine handles north-south, east-west, and egress with one constant identification mannequin. eBPF within the Linux kernel does the enforcement on the identical node because the pod, so the choice occurs earlier than the packet leaves the host. No sidecars, no iptables sprawl, no daemonset it is advisable improve by hand.

The demo walks by six assessments and the outcomes map immediately onto issues you might be in all probability making an attempt to unravel proper now:

  • Multi-site internet hosting on one IP. Three hostnames, one AGC, three 200 OKs from three totally different backend pods. If you’re paying for 3 load balancers as we speak, you possibly can cease.
  • WAF blocks a malicious GET that ACNS would have let by. That is the punch line of why you want each layers. The tactic (GET) is on the Cilium permit listing, however the payload is a SQLi sample. WAF returns 403 on the edge. Protection in depth, working as marketed.
  • Technique enforcement on the pod door. GET returns 200, POST/PUT/DELETE return 403, GET /admin returns 403, GET /merchandise returns 200. Cilium is doing precise HTTP inspection, not simply dropping packets.
  • East-west enforcement with readable verdicts. Consumer to Contoso GET is 200. Identical shopper, similar vacation spot, POST is 403 (L7 deny, TCP accomplished). Consumer to Fabrikam is 000 (L4 drop, no TCP handshake). Studying the distinction between 403 and 000 is now a debuggable sign, not a thriller.
  • Default-deny egress kills phone-home. A pod tries to succeed in bing.com. DNS resolves (the carve-out works), TCP SYN goes nowhere, wget offers up with exit code 1. If that pod was compromised and making an attempt to exfiltrate information, that is the place the assault chain dies.
  • Selective permit nonetheless works. Identical pod, similar instruments, however a DNS lookup towards kube-dns contained in the cluster returns immediately. We didn’t unplug the community. We locked it down with a goal.

Trustworthy tradeoffs to name out. The session doesn’t faux every part is free. AGC introduces a billed subnet affiliation and a managed identification you don’t handle in BYO mode. Cilium L7 wants the Cilium information aircraft (ACNS Container Community Safety features are Cilium-only). The Envoy proxy that handles L7 inspection has a price solely whenever you really implement L7, which is a good deal in my e book.

If you wish to do that on a cluster of your personal, three flags do a lot of the work on az aks create:

  • –network-dataplane cilium (activates the eBPF information aircraft)
  • –enable-acns (permits Superior Container Networking Companies, together with Hubble observability and Cilium L7 coverage)
  • –enable-app-routing or the ALB add-on flag (provisions the AGC controller as an AKS-managed add-on)

From there you write 4 YAML objects: a default-deny CiliumNetworkPolicy, an allow-DNS carve-out, an AGC ingress permit with technique and path constraints, and your east-west permit guidelines. The session repo contains the total set so you possibly can clone and comply with alongside.

One bonus price realizing about. ACNS ships Hubble out of the field, with pre-built Azure Managed Grafana dashboards. Stream logs, service maps, coverage hit counts. Even on pods that aren’t but below L7 enforcement, you get observability without spending a dime. When one thing breaks at 2 a.m., you may have an audit path as a substitute of a tcpdump.

If MAIS09 hit the spot, there are dozens extra periods in the identical playlist protecting AKS networking at scale, Azure Native, AVM, the brand new Deployment Agent, and much more. Seize a espresso and binge.

Microsoft Azure Infrastructure Summit 2026 playlist

Cheers!

Pierre Roman

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles